VLAN102 is defined via subinterface on my ASA 5506-X. IP subnet is 172.16.20.x. DNS servers live on VLAN100 as does a Windows domain. DNS and Windows services are ACL allowed between VLAN102 and VLAN100. I'm focused on DNS for this posting.
AnyConnect setup was configured via ASDM wizard, AnyConnect vpn clients are placed on VLAN102 via the assigned pool, 172.16.20.250-254 (testing pool therefore quite small). Authentication and connection goes smoothly for these VPN clients. These VPN clients can talk to other hosts on VLAN102 without issue. Clients wired into VLAN102 have no issues with DNS. VPN clients, connected via AnyConnect, however cannot perform DNS lookups to the VLAN100 servers, as desired. Logged error is, somewhat predictably I'm learning:
5 305013 172.16.20.250 61706 10.0.20.80 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:172.16.20.250/61706(LOCAL\pjt@int.paulteeter.net) dst inside:10.0.20.80/53 denied due to NAT reverse path failure
Syslog Details go on to elaborate:
An attempt to connect to a mapped host using it's actual address was rejected.
Pertinent running config should be...
ip local pool IPv4_VLAN102_Pool 172.16.20.250-172.16.20.254 mask 255.255.254.0 interface GigabitEthernet1/2.100 description VLAN100_Management_Server vlan 100 nameif inside security-level 100 ip address 10.0.20.1 255.255.252.0 interface GigabitEthernet1/2.102 description VLAN102_Testing vlan 102 nameif insideTesting security-level 80 ip address 172.16.20.1 255.255.254.0 object network NETWORK_OBJ_172.16.20.248_29 subnet 172.16.20.248 255.255.255.248 object network NETWORK_OBJ_172.16.20.0_23 subnet 172.16.20.0 255.255.254.0 object-group service DNS description DNS over tcp & udp service-object tcp-udp destination eq domain object-group network VLAN100_DNS_Servers network-object host 10.0.20.80 network-object host 10.0.20.19 access-list ForVLAN102 extended permit object-group DNS object Testing object-group VLAN100_DNS_Servers access-list ForVLAN102 extended permit ip any any nat (insideTesting,outside) source static NETWORK_OBJ_172.16.20.0_23 NETWORK_OBJ_172.16.20.0_23 destination static NETWORK_OBJ_172.16.20.248_29 NETWORK_OBJ_172.16.20.248_29 no-proxy-arp route-lookup object network Testing nat (insideTesting,outside) dynamic interface access-group ForVLAN102 in interface insideTesting group-policy GroupPolicy_AnyConnect_basicAuth_VLAN102 internal group-policy GroupPolicy_AnyConnect_basicAuth_VLAN102 attributes wins-server none dns-server value 10.0.20.80 10.0.20.19 vpn-tunnel-protocol ssl-client default-domain value int.mydomain.net tunnel-group AnyConnect_basicAuth_VLAN102 type remote-access tunnel-group AnyConnect_basicAuth_VLAN102 general-attributes address-pool IPv4_VLAN102_Pool authentication-server-group Active_Directory default-group-policy GroupPolicy_AnyConnect_basicAuth_VLAN102 tunnel-group AnyConnect_basicAuth_VLAN102 webvpn-attributes group-alias AnyConnect_basicAuth_VLAN102 enable group-url https://vpn.mydomain.net/basicAuthVLAN102 enable without-csd
Let me know if additional config details would be helpful.
From various postings here and on Cisco's community, it seems like my VPN ip pool is not being NAT exempted properly...possibly?
I was considering a static NAT of each VLAN100 DNS server to VLAN102 but am not certain that would even help.
Curious to hear suggestions about how to fix my config to support what I'm trying to do. Am open to split-tunnel option such that only VLAN102-intended traffic does DNS via the VLAN100 servers. But sending all DNS requests to the VLAN100 servers is just fine.
No comments:
Post a Comment